# Static Analysis

Static analysis discipline for automated security and quality scanning.

## Rules

1. **Run static analysis before manual review.** Semgrep, CodeQL, or language linters catch known patterns. Humans catch logic flaws static tools miss. Do both, in that order.

2. **Triage findings by exploitability.** A theoretical issue in dead code is not the same as SQL injection on a public endpoint. Severity reflects reachable impact.

3. **Variant analysis on every real finding.** When you find one instance of a bad pattern, search the codebase for siblings. One finding is often a family.

4. **Custom rules for your domain.** Generic rules catch generic bugs. Write Semgrep rules for your auth patterns, your ORM usage, your API conventions.

5. **CI gates on critical findings.** Critical and high severity block merge. Medium gets a ticket. Don't let the scanner run without enforcing results.
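One way to wire rules 2, 3 and 5 together in CI, as an added example that is not part of the original page or of the Trail of Bits skill: a small Python gate that reads `semgrep --json` output, blocks the merge on ERROR findings, collects WARNING findings for ticketing, and groups every finding by `check_id` so a real hit shows its siblings. The report, file paths and `custom.*` rule ids below are constructed for the example; the `results[].extra.severity` / `check_id` / `path` / `start.line` layout follows Semgrep's JSON output.

```python
"""CI gate over Semgrep JSON output: ERROR blocks merge, WARNING gets a ticket, INFO is ignored."""
import json
from collections import defaultdict

# Semgrep's own severity labels mapped onto the policy in rule 5.
BLOCKING = {"ERROR"}     # critical/high: fail the pipeline
TICKET = {"WARNING"}     # medium: file a ticket, do not block

# Constructed sample of `semgrep --json` output (not a real scan); rule ids are made up.
SAMPLE_REPORT = json.dumps({
    "results": [
        {"check_id": "custom.orm.raw-sql-string-format", "path": "app/api/users.py",
         "start": {"line": 42},
         "extra": {"severity": "ERROR", "message": "SQL built with string formatting"}},
        {"check_id": "custom.orm.raw-sql-string-format", "path": "app/api/orders.py",
         "start": {"line": 17},
         "extra": {"severity": "ERROR", "message": "SQL built with string formatting"}},
        {"check_id": "custom.io.open-never-closed", "path": "app/util/io.py",
         "start": {"line": 9},
         "extra": {"severity": "WARNING", "message": "File handle never closed"}},
        {"check_id": "custom.style.unused-inner-function", "path": "app/util/io.py",
         "start": {"line": 30},
         "extra": {"severity": "INFO", "message": "Inner function is never used"}},
    ],
    "errors": [],
})


def gate(report_json):
    """Return (blocking, to_ticket, families) for a Semgrep JSON report.

    blocking / to_ticket are lists of (check_id, "path:line"); families maps each
    check_id to every location it fired at, so one real finding exposes its variants.
    """
    report = json.loads(report_json)
    blocking, to_ticket = [], []
    families = defaultdict(list)
    for r in report.get("results", []):
        loc = f'{r["path"]}:{r["start"]["line"]}'
        families[r["check_id"]].append(loc)
        sev = r["extra"]["severity"]
        if sev in BLOCKING:
            blocking.append((r["check_id"], loc))
        elif sev in TICKET:
            to_ticket.append((r["check_id"], loc))
    return blocking, to_ticket, dict(families)


if __name__ == "__main__":
    blocking, to_ticket, families = gate(SAMPLE_REPORT)
    for check_id, locs in families.items():
        print(f"{check_id}: {len(locs)} occurrence(s) -> {', '.join(locs)}")
    print(f"ticket: {to_ticket}")
    raise SystemExit(1 if blocking else 0)   # non-zero exit fails the CI job
```

Point the script at the real report (for example `semgrep --config rules/ --json -o report.json .`) and the non-zero exit does the gating; the per-`check_id` grouping is the starting point for the sibling search in rule 3.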

## What This Replaces

Manual-only security review, fixing one instance while variants remain, and scanners that report without gating.

## Official Source

Distilled from Trail of Bits security skills.
Full upstream: https://officialskills.sh/trailofbits/skills/static-analysis
